In practice, both wired and wireless users need to access one network. For example, the PCs and printers of a company connect to the network in wired mode, and laptops and mobile phones connect wirelessly. After unified access for wired and wireless users is configured on a network, both wired and wireless users can access the network and be managed in a unified manner.
For details about common WLAN configuration notes, see General Precautions for WLAN. For more deployment and configuration suggestions, see Wireless Network Deployment and Configuration Suggestions.
Configure a proper RADIUS packet retransmission timeout interval.
For a large-scale or busy network, configure the shortest retransmission timeout interval for RADIUS request packets. When a long retransmission timeout interval is set, retransmission occupies system resources. A short retransmission timeout interval can improve the AC's packet processing capability.
The default retransmission timeout interval for wireless users is 5 seconds, which is suitable for most wireless user authentication scenarios. When IP addresses of more than eight authentication servers are configured in a RADIUS server template, or 802.1X authentication is used, it is recommended that the retransmission timeout interval be set to 1 second to improve network processing efficiency.
From V200R011C10, WLAN configurations are automatically delivered, without the need to run the commit all command.
In tunnel forwarding mode, the management VLAN and service VLAN cannot be the same. If you set the forwarding mode to direct forwarding, you are not advised to configure the management VLAN and service VLAN to be the same.
In direct forwarding mode, configure port isolation on the interfaces directly connected to APs. If port isolation is not configured, many broadcast packets will be transmitted in the VLANs, or WLAN users on different APs will be able to communicate directly at Layer 2.
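The two rules above (management VLAN versus service VLAN, and port isolation on AP-facing interfaces) can be checked mechanically against saved configuration files. The following Python script is an added example, not part of the original page or of any Huawei tool; it parses configuration text in the layout of the configuration files shown later on this page. The sample configurations are constructed, and the profile wlan-vap3, the function names, the rule that a port whose PVID is the management VLAN is AP-facing, and direct-forward as the default forwarding mode are assumptions.

```python
import re

# Constructed sample in the layout of the switch configuration files on this page.
# GigabitEthernet0/0/3 deliberately lacks "port-isolate enable".
SWITCH_CFG = """\
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 100 201
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100 201
 port-isolate enable group 1
#
interface GigabitEthernet0/0/3
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100 201
#
return
"""

# Constructed AC fragment. wlan-vap2 and wlan-vap3 (hypothetical) reuse the
# management VLAN as their service VLAN.
AC_CFG = """\
#
capwap source interface vlanif100
#
wlan
 vap-profile name wlan-vap1
  forward-mode tunnel
  service-vlan vlan-id 101
 vap-profile name wlan-vap2
  forward-mode tunnel
  service-vlan vlan-id 100
 vap-profile name wlan-vap3
  service-vlan vlan-id 100
#
return
"""


def blocks(cfg, header_re):
    """Yield (header match, child lines); a view ends at the first line not indented deeper."""
    lines = cfg.splitlines()
    for i, line in enumerate(lines):
        m = re.fullmatch(header_re, line.strip())
        if not m:
            continue
        indent = len(line) - len(line.lstrip())
        body = []
        for nxt in lines[i + 1:]:
            if len(nxt) - len(nxt.lstrip()) <= indent:
                break
            body.append(nxt.strip())
        yield m, body


def check_ap_ports(switch_cfg, mgmt_vlan):
    """Return AP-facing interfaces that have no port isolation configured."""
    # Assumption: a port is AP-facing when its PVID is the management VLAN.
    missing = []
    for hdr, body in blocks(switch_cfg, r"interface (\S+)"):
        ap_facing = f"port trunk pvid vlan {mgmt_vlan}" in body
        isolated = any(l.startswith("port-isolate enable") for l in body)
        if ap_facing and not isolated:
            missing.append(hdr.group(1))
    return missing


def check_vap_vlans(ac_cfg):
    """Return (vap, mode, vlan, severity) where service VLAN == management VLAN."""
    src = re.search(r"^capwap source interface vlanif\s*(\d+)", ac_cfg, re.M | re.I)
    if not src:
        raise ValueError("no CAPWAP source VLANIF in configuration")
    mgmt = int(src.group(1))
    findings = []
    for hdr, body in blocks(ac_cfg, r"vap-profile name (\S+)"):
        mode = "direct-forward"  # assumed default when no forward-mode line
        vlan = 1                 # default service VLAN stated on this page
        for line in body:
            if line.startswith("forward-mode "):
                mode = line.split()[1]
            elif m := re.fullmatch(r"service-vlan vlan-id (\d+)", line):
                vlan = int(m.group(1))
        if vlan == mgmt:
            # Same VLAN is prohibited in tunnel mode, discouraged in direct mode.
            findings.append((hdr.group(1), mode, vlan,
                             "error" if mode == "tunnel" else "warning"))
    return findings


if __name__ == "__main__":
    print("AP ports without isolation:", check_ap_ports(SWITCH_CFG, 100))
    print("management/service VLAN clashes:", check_vap_vlans(AC_CFG))
```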
A hospital needs to deploy both a wired and a wireless network. To simplify management and maintenance, the administrator requires that wired and wireless users be centrally managed on the AC, that non-authentication and Portal authentication be configured for wired and wireless users respectively, and that intra-AC roaming be enabled for wireless users.
As shown in Figure 1, the AC connects to the egress gateway Router in the uplink direction. In the downstream direction, the AC connects to and manages APs through access switches S5700-1 and S5700-2. S5700-1 is deployed on the first floor, and S5700-2 is deployed on the second floor. An AP2030DN is deployed in each room to provide both wired and wireless access. AP5030DNs are deployed in corridors to provide wireless network coverage. Both S5700-1 and S5700-2 are PoE switches and supply power to connected APs.
To facilitate network planning and management, the access switches are only used to transparently transmit data at Layer 2, and all gateways are configured on the AC.
The AC functions as a DHCP server to assign IP addresses to APs, STAs, and PCs.
The following uses an AC running V200R009C00 as an example. The key configurations vary in different versions. For details, see the Command Reference for the actual version.
| Item | Interface | VLAN | Description |
|---|---|---|---|
| AC | GE1/0/1 | 100, 201 | Connected to S5700-1 |
| AC | GE1/0/2 | 100, 202 | Connected to S5700-2 |
| AC | GE1/0/3 | 200 | Connected to the controller |
| AC | GE1/0/4 | 300 | Connected to the egress gateway |
| S5700-1 | GE0/0/1 | 100, 201 | Connected to the AC |
| S5700-1 | GE0/0/2 | 100, 201 | Connected to AP101 |
| S5700-1 | GE0/0/3 | 100, 201 | Connected to AP102 |
| S5700-1 | GE0/0/4 | 100, 201 | Connected to AP103 |
| S5700-2 | GE0/0/1 | 100, 202 | Connected to the AC |
| S5700-2 | GE0/0/2 | 100, 202 | Connected to AP201 |
| S5700-2 | GE0/0/3 | 100, 202 | Connected to AP202 |
| S5700-2 | GE0/0/4 | 100, 202 | Connected to AP203 |
| AP101 and AP102 | Eth0/0/0, Eth0/0/1, GE0/0/0 | 201 | GE0/0/0 connects to S5700-1. Eth0/0/0 and Eth0/0/1 connect to wired users. AP101 and AP102 are AP2030DNs and are deployed in rooms on the first floor to provide both wired and wireless access. |
| AP103 | - | - | AP103 is an AP5030DN and is deployed in the corridor on the first floor to provide wireless access. |
| AP201 and AP202 | Eth0/0/0, Eth0/0/1, GE0/0/0 | 202 | GE0/0/0 connects to S5700-2. Eth0/0/0 and Eth0/0/1 connect to wired users. AP201 and AP202 are AP2030DNs and are deployed in rooms on the second floor to provide both wired and wireless access. |
| AP203 | - | - | AP203 is an AP5030DN and is deployed in the corridor on the second floor to provide wireless access. |
| Item | Data | Description |
|---|---|---|
| IP address of the AC's source interface | 10.23.100.1/24 | - |
| AP group | | - |
| Portal access profile | | - |
| Authentication profile | | - |
| Regulatory domain profile | | - |
| AP wired port profile | Name: wired1, wired2, wired3, or wired4 | - |
| RRM profile | Name: rrm1 | - |
| Radio profile | | - |
| Security profile | | - |
| SSID profile | | - |
| Traffic profile | Name: traffic1 | - |
| VAP profile | | Provides WLAN network coverage for the first floor of the building. |
| | | Provides WLAN network coverage for the second floor of the building. |
| DHCP server | The AC functions as a DHCP server to assign IP addresses to APs, STAs, and PCs. | - |
| AP gateway and IP address pool range | VLANIF 100: 10.23.100.1/24, 10.23.100.2-10.23.100.254/24 | - |
| Gateway and IP address pool range of wireless users | VLANIF 101: 10.23.101.1/24, 10.23.101.2-10.23.101.254/24 | - |
| | VLANIF 102: 10.23.102.1/24, 10.23.102.2-10.23.102.254/24 | - |
| Gateway and IP address pool range of wired users | VLANIF 201: 10.23.201.1/24, 10.23.201.2-10.23.201.254/24 | - |
| | VLANIF 202: 10.23.202.1/24, 10.23.202.2-10.23.202.254/24 | - |
| Server parameters | Authentication server: | |
| | Accounting server: | |
| | Authorization server: | |
| | Portal server: | |
| Item | Data | Description |
|---|---|---|
| AP101 | Radio 0: channel 1 and power level 10 | Use the WLAN Planner to plan AP installation locations, and the working channel and power of each AP radio. Set the channel mode and power mode to fixed, and configure the channel and power for each AP. |
| AP102 | Radio 0: channel 6 and power level 10 | |
| AP103 | Radio 0: channel 11 and power level 10; Radio 1: channel 153 and power level 10 | |
| AP201 | Radio 0: channel 1 and power level 10 | |
| AP202 | Radio 0: channel 6 and power level 10 | |
| AP203 | Radio 0: channel 11 and power level 10; Radio 1: channel 157 and power level 10 | |
The configuration roadmap is as follows:
# Add GE0/0/1 to GE0/0/4 of S5700-1 to VLAN 100 (management VLAN) and VLAN 201 (VLAN for wired service packets), and add GE0/0/1 to GE0/0/4 of S5700-2 to VLAN 100 and VLAN 202 (VLAN for wired service packets). Set PVIDs for interfaces directly connected to APs. You are advised to configure port isolation on these interfaces to reduce unnecessary broadcast traffic. S5700-1 is used as an example here. The configuration on S5700-2 is similar. For details, see the configuration file of S5700-2.
[HUAWEI] sysname S5700-1
[S5700-1] vlan batch 100 201
[S5700-1] interface gigabitethernet 0/0/1
[S5700-1-GigabitEthernet0/0/1] port link-type trunk
[S5700-1-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 201
[S5700-1-GigabitEthernet0/0/1] undo port trunk allow-pass vlan 1
[S5700-1-GigabitEthernet0/0/1] quit
[S5700-1] interface gigabitethernet 0/0/2
[S5700-1-GigabitEthernet0/0/2] port link-type trunk
[S5700-1-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 201
[S5700-1-GigabitEthernet0/0/2] port trunk pvid vlan 100 //Set a PVID for the interface directly connected to APs.
[S5700-1-GigabitEthernet0/0/2] undo port trunk allow-pass vlan 1
[S5700-1-GigabitEthernet0/0/2] stp edged-port enable
[S5700-1-GigabitEthernet0/0/2] port-isolate enable //Configure port isolation to reduce broadcast packets.
[S5700-1-GigabitEthernet0/0/2] quit
[S5700-1] interface gigabitethernet 0/0/3
[S5700-1-GigabitEthernet0/0/3] port link-type trunk
[S5700-1-GigabitEthernet0/0/3] port trunk allow-pass vlan 100 201
[S5700-1-GigabitEthernet0/0/3] port trunk pvid vlan 100
[S5700-1-GigabitEthernet0/0/3] undo port trunk allow-pass vlan 1
[S5700-1-GigabitEthernet0/0/3] stp edged-port enable
[S5700-1-GigabitEthernet0/0/3] port-isolate enable
[S5700-1-GigabitEthernet0/0/3] quit
[S5700-1] interface gigabitethernet 0/0/4
[S5700-1-GigabitEthernet0/0/4] port link-type trunk
[S5700-1-GigabitEthernet0/0/4] port trunk allow-pass vlan 100 201
[S5700-1-GigabitEthernet0/0/4] port trunk pvid vlan 100
[S5700-1-GigabitEthernet0/0/4] undo port trunk allow-pass vlan 1
[S5700-1-GigabitEthernet0/0/4] stp edged-port enable
[S5700-1-GigabitEthernet0/0/4] port-isolate enable
[S5700-1-GigabitEthernet0/0/4] quit
# On the AC, add GE1/0/1 (connected to S5700-1) to VLAN 100 and VLAN 201, GE1/0/2 (connected to S5700-2) to VLAN 100 and VLAN 202, GE1/0/4 (connected to the upper-layer network) to VLAN 300, and GE1/0/3 (connected to the controller) to VLAN 200.
[HUAWEI] sysname AC
[AC] vlan batch 100 200 201 202 300
[AC] interface gigabitethernet 1/0/1
[AC-GigabitEthernet1/0/1] port link-type trunk
[AC-GigabitEthernet1/0/1] port trunk allow-pass vlan 100 201
[AC-GigabitEthernet1/0/1] undo port trunk allow-pass vlan 1
[AC-GigabitEthernet1/0/1] quit
[AC] interface gigabitethernet 1/0/2
[AC-GigabitEthernet1/0/2] port link-type trunk
[AC-GigabitEthernet1/0/2] port trunk allow-pass vlan 100 202
[AC-GigabitEthernet1/0/2] undo port trunk allow-pass vlan 1
[AC-GigabitEthernet1/0/2] quit
[AC] interface gigabitethernet 1/0/3
[AC-GigabitEthernet1/0/3] port link-type trunk
[AC-GigabitEthernet1/0/3] port trunk allow-pass vlan 200
[AC-GigabitEthernet1/0/3] undo port trunk allow-pass vlan 1
[AC-GigabitEthernet1/0/3] quit
[AC] interface gigabitethernet 1/0/4
[AC-GigabitEthernet1/0/4] port link-type trunk
[AC-GigabitEthernet1/0/4] port trunk allow-pass vlan 300
[AC-GigabitEthernet1/0/4] undo port trunk allow-pass vlan 1
[AC-GigabitEthernet1/0/4] quit
# Configure VLANIF 200 for communication between the AC and controller.
[AC] interface vlanif200
[AC-Vlanif200] ip address 10.23.200.2 24 //Configure an IP address for the AC to communicate with the controller.
[AC-Vlanif200] quit
# Configure the AC to assign IP addresses to PCs, APs, and STAs from an interface address pool.
[AC] dhcp enable
[AC] vlan batch 101 102
[AC] interface vlanif 100 //Configure an interface address pool to assign IP addresses to APs.
[AC-Vlanif100] description manage_ap
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit
[AC] interface vlanif 101 //Configure an interface address pool to assign IP addresses to STAs on the first floor.
[AC-Vlanif101] description manage_floor1_sta
[AC-Vlanif101] ip address 10.23.101.1 24
[AC-Vlanif101] dhcp select interface
[AC-Vlanif101] quit
[AC] interface vlanif 102 //Configure an interface address pool to assign IP addresses to STAs on the second floor.
[AC-Vlanif102] description manage_floor2_sta
[AC-Vlanif102] ip address 10.23.102.1 24
[AC-Vlanif102] dhcp select interface
[AC-Vlanif102] quit
[AC] interface vlanif 201 //Configure an interface address pool to assign IP addresses to PCs on the first floor.
[AC-Vlanif201] description manage_floor1_pc
[AC-Vlanif201] ip address 10.23.201.1 24
[AC-Vlanif201] dhcp select interface
[AC-Vlanif201] quit
[AC] interface vlanif 202 //Configure an interface address pool to assign IP addresses to PCs on the second floor.
[AC-Vlanif202] description manage_floor2_pc
[AC-Vlanif202] ip address 10.23.202.1 24
[AC-Vlanif202] dhcp select interface
[AC-Vlanif202] quit
# Configure a RADIUS server template on the AC, and configure authentication, accounting, and authorization in the template.
[AC] radius-server template radius1 //Create the RADIUS server template radius1.
[AC-radius-radius1] radius-server authentication 10.23.200.1 1812 source ip-address 10.23.200.2 weight 80 //Configure the RADIUS authentication server and authentication port 1812. The AC uses the IP address 10.23.200.2 to communicate with the RADIUS server.
[AC-radius-radius1] radius-server accounting 10.23.200.1 1813 source ip-address 10.23.200.2 weight 80 //Configure the RADIUS accounting server to collect user login and logout information and set the accounting port number to 1813. The AC uses the IP address 10.23.200.2 to communicate with the RADIUS server.
[AC-radius-radius1] radius-server shared-key cipher Admin@123 //Configure a shared key for the RADIUS server.
[AC-radius-radius1] undo radius-server user-name domain-included //The user name that the device sends to the RADIUS server does not carry the domain name. Configure the command when the RADIUS server does not accept the user name with the domain name.
[AC-radius-radius1] quit
[AC] radius-server authorization 10.23.200.1 shared-key cipher Admin@123 //Configure an IP address for the RADIUS authorization server and set the shared key to Admin@123, the same as the authentication and accounting keys. Configure the authorization server so that the RADIUS server can deliver authorization rules to the AC.
[AC] aaa
[AC-aaa] authentication-scheme radius1 //Create the authentication scheme radius1.
[AC-aaa-authen-radius1] authentication-mode radius //If the controller functions as the RADIUS server, the authentication mode must be set to RADIUS.
[AC-aaa-authen-radius1] quit
[AC-aaa] accounting-scheme radius1 //Create the accounting scheme radius1.
[AC-aaa-accounting-radius1] accounting-mode radius //Set the accounting mode to RADIUS. To facilitate account status information maintenance on the RADIUS server, including the login and logout information, and forced logout information, the accounting mode must be set to radius.
[AC-aaa-accounting-radius1] quit
[AC-aaa] domain portal1 //Create the domain portal1.
[AC-aaa-domain-portal1] authentication-scheme radius1 //Bind the authentication scheme radius1.
[AC-aaa-domain-portal1] accounting-scheme radius1 //Bind the accounting scheme radius1.
[AC-aaa-domain-portal1] radius-server radius1 //Bind the RADIUS server template radius1.
[AC-aaa-domain-portal1] quit
[AC-aaa] quit
# Configure the Portal server.
[AC] web-auth-server portal1 //Create the Portal server template portal1.
[AC-web-auth-server-portal1] server-ip 10.23.200.1 //Configure an IP address for the Portal server.
[AC-web-auth-server-portal1] port 50100 //Set the destination port number used by the device to send packets to the Portal server to 50100 (default setting).
[AC-web-auth-server-portal1] shared-key cipher Admin@123 //Configure the shared key for message exchange between the AC and Portal server.
[AC-web-auth-server-portal1] url http://10.23.200.1:8080/portal //Configure the URL of the Portal server.
[AC-web-auth-server-portal1] quit
# Enable Portal authentication for wireless users, and configure non-authentication for wired users.
[AC] portal-access-profile name portal1
[AC-portal-acces-profile-portal1] web-auth-server portal1 direct //Bind the Portal server template portal1 and specify Layer 2 authentication as the Portal authentication mode.
[AC-portal-acces-profile-portal1] quit
[AC] authentication-profile name portal1
[AC-authen-profile-portal1] portal-access-profile portal1
[AC-authen-profile-portal1] access-domain portal1 force //Configure the forcible user domain portal1.
[AC-authen-profile-portal1] quit
# Create AP groups.
[AC] wlan
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] ap-group name ap-group2
[AC-wlan-ap-group-ap-group2] quit
# Create a regulatory domain profile, configure the AC country code in the profile, and apply the profile to the AP groups.
[AC-wlan-view] regulatory-domain-profile name domain1
[AC-wlan-regulate-domain-domain1] country-code cn //Configure the AC country code. Radio features of APs managed by the AC must conform to local laws and regulations. The default country code is CN.
[AC-wlan-regulate-domain-domain1] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] ap-group name ap-group2
[AC-wlan-ap-group-ap-group2] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain configurations of the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group2] quit
[AC-wlan-view] quit
# Configure the AC's source interface.
[AC] capwap source interface vlanif 100
# Import the APs offline on the AC.
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 101 ap-mac 60de-4476-e320
[AC-wlan-ap-101] ap-name ap-101
[AC-wlan-ap-101] ap-group ap-group1 //Add APs on the first floor to ap-group1.
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-101] quit
[AC-wlan-view] ap-id 102 ap-mac 60de-4476-e340
[AC-wlan-ap-102] ap-name ap-102
[AC-wlan-ap-102] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-102] quit
[AC-wlan-view] ap-id 103 ap-mac dcd2-fc04-b520
[AC-wlan-ap-103] ap-name ap-103
[AC-wlan-ap-103] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-103] quit
[AC-wlan-view] ap-id 201 ap-mac 60de-4476-e360
[AC-wlan-ap-201] ap-name ap-201
[AC-wlan-ap-201] ap-group ap-group2 //Add APs on the second floor to ap-group2.
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-201] quit
[AC-wlan-view] ap-id 202 ap-mac 60de-4476-e380
[AC-wlan-ap-202] ap-name ap-202
[AC-wlan-ap-202] ap-group ap-group2
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-202] quit
[AC-wlan-view] ap-id 203 ap-mac dcd2-fc04-b540
[AC-wlan-ap-203] ap-name ap-203
[AC-wlan-ap-203] ap-group ap-group2
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-203] quit
# Power on the APs and run the display ap all command to check the AP state. If the State field is nor, the APs have gone online.
[AC-wlan-view] display ap all
Total AP information:
nor  : normal          [6]
ExtraInfo : Extra information
P  : insufficient power supply
-------------------------------------------------------------------------------------------------
ID   MAC            Name   Group     IP            Type     State STA Uptime ExtraInfo
-------------------------------------------------------------------------------------------------
101  60de-4476-e320 ap-101 ap-group1 10.23.101.254 AP2030DN nor   0   10S    -
102  60de-4476-e340 ap-102 ap-group1 10.23.101.253 AP2030DN nor   0   15S    -
103  dcd2-fc04-b520 ap-103 ap-group1 10.23.101.252 AP5030DN nor   0   23S    -
201  60de-4476-e360 ap-201 ap-group2 10.23.102.254 AP2030DN nor   0   45S    -
202  60de-4476-e380 ap-202 ap-group2 10.23.102.253 AP2030DN nor   0   49S    -
203  dcd2-fc04-b540 ap-203 ap-group2 10.23.102.252 AP5030DN nor   0   55S    -
-------------------------------------------------------------------------------------------------
Total: 6
# Configure the AP2030DN's uplink interface GE0/0/0 and downlink interfaces Eth0/0/0 and Eth0/0/1 to allow wired service packets to pass through.
[AC-wlan-view] wired-port-profile name wired1
[AC-wlan-wired-port-wired1] vlan pvid 201 //The downlink interface of the AP2030DN is used to connect wired terminals, such as the PCs. Set a PVID for the interface. VLAN 201 is used to transmit wired service packets of the first floor.
[AC-wlan-wired-port-wired1] vlan untagged 201 //The downlink interface of the AP2030DN is used to connect to wired terminals. Add the interface to VLAN 201 in untagged mode.
[AC-wlan-wired-port-wired1] quit
[AC-wlan-view] wired-port-profile name wired2
[AC-wlan-wired-port-wired2] vlan tagged 201 //The uplink interface of the AP2030DN is used to connect to the upper-layer devices. Add the interface to VLAN 201 in tagged mode.
[AC-wlan-wired-port-wired2] quit
[AC-wlan-view] wired-port-profile name wired3
[AC-wlan-wired-port-wired3] vlan pvid 202 //The downlink interface of the AP2030DN is used to connect wired terminals, such as the PCs. Set a PVID for the interface. VLAN 202 is used to transmit wired service packets of the second floor.
[AC-wlan-wired-port-wired3] vlan untagged 202
[AC-wlan-wired-port-wired3] quit
[AC-wlan-view] wired-port-profile name wired4
[AC-wlan-wired-port-wired4] vlan tagged 202
[AC-wlan-wired-port-wired4] quit
[AC-wlan-view] ap-id 101
[AC-wlan-ap-101] wired-port-profile wired1 ethernet 0
[AC-wlan-ap-101] wired-port-profile wired1 ethernet 1
[AC-wlan-ap-101] wired-port-profile wired2 gigabitethernet 0
[AC-wlan-ap-101] quit
[AC-wlan-view] ap-id 102
[AC-wlan-ap-102] wired-port-profile wired1 ethernet 0
[AC-wlan-ap-102] wired-port-profile wired1 ethernet 1
[AC-wlan-ap-102] wired-port-profile wired2 gigabitethernet 0
[AC-wlan-ap-102] quit
[AC-wlan-view] ap-id 201
[AC-wlan-ap-201] wired-port-profile wired3 ethernet 0
[AC-wlan-ap-201] wired-port-profile wired3 ethernet 1
[AC-wlan-ap-201] wired-port-profile wired4 gigabitethernet 0
[AC-wlan-ap-201] quit
[AC-wlan-view] ap-id 202
[AC-wlan-ap-202] wired-port-profile wired3 ethernet 0
[AC-wlan-ap-202] wired-port-profile wired3 ethernet 1
[AC-wlan-ap-202] wired-port-profile wired4 gigabitethernet 0
[AC-wlan-ap-202] quit
# Create RRM profile rrm1. By default, the automatic channel and transmit power selection functions are enabled. When you need to manually specify the channel and power for a radio, set the channel and transmit power selection modes to fixed.
[AC-wlan-view] rrm-profile name rrm1
[AC-wlan-rrm-prof-rrm1] calibrate auto-channel-select disable //Set the channel selection mode of the radio to fixed.
[AC-wlan-rrm-prof-rrm1] calibrate auto-txpower-select disable //Set the transmit power selection mode of the radio to fixed.
[AC-wlan-rrm-prof-rrm1] quit
In V200R012 and later versions, the commands for configuring the channel selection and transmit power selection modes are executed in the AP group radio view or AP radio view instead of in the RRM profile view. For example, run the following commands to set the channel and transmit power selection modes of radio 0 of APs in AP group 1 to fixed:
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] radio 0
[AC-wlan-group-radio-ap-group1/0] calibrate auto-channel-select disable
[AC-wlan-group-radio-ap-group1/0] calibrate auto-txpower-select disable
[AC-wlan-group-radio-ap-group1/0] quit
# Create radio profiles radio-2g and radio-5g, and bind the RRM profile rrm1 to the radio profiles.
[AC-wlan-view] radio-2g-profile name radio-2g
[AC-wlan-radio-2g-prof-radio-2g] rrm-profile rrm1
[AC-wlan-radio-2g-prof-radio-2g] quit
[AC-wlan-view] radio-5g-profile name radio-5g
[AC-wlan-radio-5g-prof-radio-5g] rrm-profile rrm1
[AC-wlan-radio-5g-prof-radio-5g] quit
# Create security profile wlan-security and set the security policy in the profile.
[AC-wlan-view] security-profile name wlan-security //Portal authentication has been enabled on the interface. Set the security policy to OPEN (default setting), that is, no authentication and no encryption.
[AC-wlan-sec-prof-wlan-security] quit
# Create SSID profile wlan-ssid and set the SSID name to hospital-wlan.
[AC-wlan-view] ssid-profile name wlan-ssid
[AC-wlan-ssid-prof-wlan-ssid] ssid hospital-wlan //Set the SSID to hospital-wlan.
[AC-wlan-ssid-prof-wlan-ssid] quit
# Create traffic profile traffic1 and configure Layer 2 user isolation.
[AC-wlan-view] traffic-profile name traffic1
[AC-wlan-traffic-prof-traffic1] user-isolate l2
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-traffic-prof-traffic1] quit
# Create VAP profiles wlan-vap1 and wlan-vap2, configure the data forwarding mode and service VLANs, and apply the security profile, SSID profile, and authentication profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-vap1
[AC-wlan-vap-prof-wlan-vap1] forward-mode tunnel //Set the service forwarding mode to tunnel.
[AC-wlan-vap-prof-wlan-vap1] service-vlan vlan-id 101 //Set the VLAN ID to 101. By default, the VLAN ID is 1.
[AC-wlan-vap-prof-wlan-vap1] security-profile wlan-security
[AC-wlan-vap-prof-wlan-vap1] ssid-profile wlan-ssid
[AC-wlan-vap-prof-wlan-vap1] authentication-profile portal1
[AC-wlan-vap-prof-wlan-vap1] traffic-profile traffic1
[AC-wlan-vap-prof-wlan-vap1] quit
[AC-wlan-view] vap-profile name wlan-vap2
[AC-wlan-vap-prof-wlan-vap2] forward-mode tunnel //Set the service forwarding mode to tunnel.
[AC-wlan-vap-prof-wlan-vap2] service-vlan vlan-id 102 //Set the VLAN ID to 102. By default, the VLAN ID is 1.
[AC-wlan-vap-prof-wlan-vap2] security-profile wlan-security
[AC-wlan-vap-prof-wlan-vap2] ssid-profile wlan-ssid
[AC-wlan-vap-prof-wlan-vap2] authentication-profile portal1
[AC-wlan-vap-prof-wlan-vap2] traffic-profile traffic1
[AC-wlan-vap-prof-wlan-vap2] quit
# Bind the VAP profile and radio profile to the AP group.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-vap1 wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-vap1 wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] radio-2g-profile radio-2g //In V200R010C00 and later versions, you need to specify the radio ID using the radio-2g-profile radio-2g radio 0 command.
[AC-wlan-ap-group-ap-group1] radio-5g-profile radio-5g //In V200R010C00 and later versions, you need to specify the radio ID using the radio-5g-profile radio-5g radio 1 command.
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] ap-group name ap-group2
[AC-wlan-ap-group-ap-group2] vap-profile wlan-vap2 wlan 1 radio 0
[AC-wlan-ap-group-ap-group2] vap-profile wlan-vap2 wlan 1 radio 1
[AC-wlan-ap-group-ap-group2] radio-2g-profile radio-2g
[AC-wlan-ap-group-ap-group2] radio-5g-profile radio-5g
[AC-wlan-ap-group-ap-group2] quit
# Configure VAPs.
[AC-wlan-view] ap-id 101
[AC-wlan-ap-101] radio 0
[AC-wlan-radio-101/0] channel 20mhz 1 //Configure the channel based on the planning result of the WLAN Planner.
[AC-wlan-radio-101/0] eirp 10 //Configure the power based on the planning result of the WLAN Planner.
[AC-wlan-radio-101/0] quit
[AC-wlan-ap-101] quit
[AC-wlan-view] ap-id 102
[AC-wlan-ap-102] radio 0
[AC-wlan-radio-102/0] channel 20mhz 6
[AC-wlan-radio-102/0] eirp 10
[AC-wlan-radio-102/0] quit
[AC-wlan-ap-102] quit
[AC-wlan-view] ap-id 103
[AC-wlan-ap-103] radio 0
[AC-wlan-radio-103/0] channel 20mhz 11
[AC-wlan-radio-103/0] eirp 10
[AC-wlan-radio-103/0] quit
[AC-wlan-ap-103] quit
[AC-wlan-view] ap-id 103
[AC-wlan-ap-103] radio 1 //The AP5030 supports two radios. This step configures radio 1.
[AC-wlan-radio-103/1] channel 20mhz 153
[AC-wlan-radio-103/1] eirp 10
[AC-wlan-radio-103/1] quit
[AC-wlan-ap-103] quit
[AC-wlan-view] ap-id 201
[AC-wlan-ap-201] radio 0
[AC-wlan-radio-201/0] channel 20mhz 1
[AC-wlan-radio-201/0] eirp 10
[AC-wlan-radio-201/0] quit
[AC-wlan-ap-201] quit
[AC-wlan-view] ap-id 202
[AC-wlan-ap-202] radio 0
[AC-wlan-radio-202/0] channel 20mhz 6
[AC-wlan-radio-202/0] eirp 10
[AC-wlan-radio-202/0] quit
[AC-wlan-ap-202] quit
[AC-wlan-view] ap-id 203
[AC-wlan-ap-203] radio 0
[AC-wlan-radio-203/0] channel 20mhz 11
[AC-wlan-radio-203/0] eirp 10
[AC-wlan-radio-203/0] quit
[AC-wlan-ap-203] quit
[AC-wlan-view] ap-id 203
[AC-wlan-ap-203] radio 1
[AC-wlan-radio-203/1] channel 20mhz 157
[AC-wlan-radio-203/1] eirp 10
[AC-wlan-radio-203/1] quit
[AC-wlan-ap-203] quit
# Deliver the configuration to the APs.
[AC-wlan-view] commit all //After the WLAN service configuration is complete on the AC, the configuration takes effect after you deliver it to the APs.
Warning: Committing configuration may cause service interruption, continue?[Y/N]:y
# After the configuration is complete, run the display vap all command. The command output shows that VAPs have been created.
[AC-wlan-view] display vap all
WID : WLAN ID
----------------------------------------------------------------------------------
AP ID AP name RfID WID BSSID          Status Auth type STA SSID
----------------------------------------------------------------------------------
101   ap-101  0    1   60DE-4476-E320 ON     OPEN      0   hospital-wlan
102   ap-102  0    1   60DE-4476-E340 ON     OPEN      0   hospital-wlan
103   ap-103  0    1   DCD2-FC04-B520 ON     OPEN      0   hospital-wlan
103   ap-103  1    1   DCD2-FC04-B530 ON     OPEN      0   hospital-wlan
201   ap-201  0    1   60DE-4476-E360 ON     OPEN      0   hospital-wlan
202   ap-202  0    1   60DE-4476-E380 ON     OPEN      0   hospital-wlan
203   ap-203  0    1   DCD2-FC04-B540 ON     OPEN      0   hospital-wlan
203   ap-203  1    1   DCD2-FC04-B550 ON     OPEN      0   hospital-wlan
----------------------------------------------------------------------------------
Total: 8
# Connect STAs to the WLAN with SSID hospital-wlan. After you enter the password, the STAs can access the wireless network. Run the display station all command on the AC. The command output shows that the STAs are connected to the WLAN hospital-wlan.
[AC-wlan-view] display station all
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
----------------------------------------------------------------------------------------------------------
STA MAC        AP ID Ap name Rf/WLAN Band Type Rx/Tx RSSI VLAN IP address    SSID
----------------------------------------------------------------------------------------------------------
14cf-9208-9abf 0     ap-101  0/1     2.4G 11n  3/8   -70  10   10.23.101.254 hospital-wlan
----------------------------------------------------------------------------------------------------------
Total: 1 2.4G: 1 5G: 0
# STAs and PCs obtain IP addresses and connect to the network properly.
S5700-1 configuration file
#
sysname S5700-1
#
vlan batch 100 201
#
interface GigabitEthernet0/0/1
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 100 201
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk pvid vlan 100
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 100 201
 stp edged-port enable
 port-isolate enable group 1
#
interface GigabitEthernet0/0/3
 port link-type trunk
 port trunk pvid vlan 100
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 100 201
 stp edged-port enable
 port-isolate enable group 1
#
interface GigabitEthernet0/0/4
 port link-type trunk
 port trunk pvid vlan 100
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 100 201
 stp edged-port enable
 port-isolate enable group 1
#
return
S5700-2 configuration file
#
sysname S5700-2
#
vlan batch 100 202
#
interface GigabitEthernet0/0/1
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 100 202
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk pvid vlan 100
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 100 202
 stp edged-port enable
 port-isolate enable group 1
#
interface GigabitEthernet0/0/3
 port link-type trunk
 port trunk pvid vlan 100
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 100 202
 stp edged-port enable
 port-isolate enable group 1
#
interface GigabitEthernet0/0/4
 port link-type trunk
 port trunk pvid vlan 100
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 100 202
 stp edged-port enable
 port-isolate enable group 1
#
return
AC configuration file
#
 sysname AC
#
vlan batch 100 to 102 200 to 202 300
#
authentication-profile name portal1
 portal-access-profile portal1
 access-domain portal1
 access-domain portal1 force
#
dhcp enable
#
radius-server template radius1
 radius-server shared-key cipher %^%#ZGx{:~QFtUUhhG!`ba-PTj=H1p_J<1/%ZAXuB5)0%^%#
 radius-server authentication 10.23.200.1 1812 source ip-address 10.23.200.2 weight 80
 radius-server accounting 10.23.200.1 1813 source ip-address 10.23.200.2 weight 80
 undo radius-server user-name domain-included
radius-server authorization 10.23.200.1 shared-key cipher %^%#w]=@OYp:T9"u@{I2RD4U5QJi2{u]$M{]DND|;=s"%^%#
#
web-auth-server portal1
 server-ip 10.23.200.1
 port 50100
 shared-key cipher %^%#yJ0=%9W@FVMN/=HIR9EN@1abUN6>a(Bn@MHR7Bl4%^%#
 url http://10.23.200.1:8080/portal
#
portal-access-profile name portal1
 web-auth-server portal1 direct
#
aaa
 authentication-scheme radius1
  authentication-mode radius
 accounting-scheme radius1
  accounting-mode radius
 domain portal1
  authentication-scheme radius1
  accounting-scheme radius1
  radius-server radius1
#
interface Vlanif100
 description manage_ap
 ip address 10.23.100.1 255.255.255.0
 dhcp select interface
#
interface Vlanif101
 description manage_floor1_sta
 ip address 10.23.101.1 255.255.255.0
 dhcp select interface
#
interface Vlanif102
 description manage_floor2_sta
 ip address 10.23.102.1 255.255.255.0
 dhcp select interface
#
interface Vlanif200
 ip address 10.23.200.2 255.255.255.0
#
interface Vlanif201
 description manage_floor1_pc
 ip address 10.23.201.1 255.255.255.0
 dhcp select interface
#
interface Vlanif202
 description manage_floor2_pc
 ip address 10.23.202.1 255.255.255.0
 dhcp select interface
#
interface GigabitEthernet1/0/1
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 100 201
#
interface GigabitEthernet1/0/2
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 100 202
#
interface GigabitEthernet1/0/3
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 200
#
interface GigabitEthernet1/0/4
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 300
#
capwap source interface vlanif100
#
wlan
 traffic-profile name traffic1
  user-isolate l2
 security-profile name wlan-security
 ssid-profile name wlan-ssid
  ssid hospital-wlan
 vap-profile name wlan-vap1
  forward-mode tunnel
  service-vlan vlan-id 101
  ssid-profile wlan-ssid
  security-profile wlan-security
  traffic-profile traffic1
  authentication-profile portal1
 vap-profile name wlan-vap2
  forward-mode tunnel
  service-vlan vlan-id 102
  ssid-profile wlan-ssid
  security-profile wlan-security
  traffic-profile traffic1
  authentication-profile portal1
 regulatory-domain-profile name domain1
 rrm-profile name rrm1
  calibrate auto-channel-select disable
  calibrate auto-txpower-select disable
 radio-2g-profile name radio-2g
  rrm-profile rrm1
 radio-5g-profile name radio-5g
  rrm-profile rrm1
 wired-port-profile name wired1
  vlan pvid 201
  vlan untagged 201
 wired-port-profile name wired2
  vlan tagged 201
 wired-port-profile name wired3
  vlan pvid 202
  vlan untagged 202
 wired-port-profile name wired4
  vlan tagged 202
 ap-group name ap-group1
  regulatory-domain-profile domain1
  radio 0
   radio-2g-profile radio-2g
   radio-5g-profile radio-5g
   vap-profile wlan-vap1 wlan 1
  radio 1
   radio-5g-profile radio-5g
   vap-profile wlan-vap1 wlan 1
  radio 2
   radio-2g-profile radio-2g
   radio-5g-profile radio-5g
   vap-profile wlan-vap1 wlan 1
 ap-group name ap-group2
  regulatory-domain-profile domain1
  radio 0
   radio-2g-profile radio-2g
   radio-5g-profile radio-5g
   vap-profile wlan-vap2 wlan 1
  radio 1
   radio-5g-profile radio-5g
   vap-profile wlan-vap2 wlan 1
  radio 2
   radio-2g-profile radio-2g
   radio-5g-profile radio-5g
   vap-profile wlan-vap2 wlan 1
 ap-id 101 type-id 35 ap-mac 60de-4476-e320 ap-sn 210235419610CB002378
  ap-name ap-101
  ap-group ap-group1
  wired-port-profile wired1 ethernet 0
  wired-port-profile wired1 ethernet 1
  wired-port-profile wired2 gigabitethernet 0
  radio 0
   channel 20mhz 1
   eirp 10
 ap-id 102 type-id 35 ap-mac 60de-4476-e340 ap-sn 210235419610CB002204
  ap-name ap-102
  ap-group ap-group1
  wired-port-profile wired1 ethernet 0
  wired-port-profile wired1 ethernet 1
  wired-port-profile wired2 gigabitethernet 0
  radio 0
   channel 20mhz 6
   eirp 10
 ap-id 103 type-id 35 ap-mac dcd2-fc04-b520 ap-sn 210235419610CB002561
  ap-name ap-103
  ap-group ap-group1
  radio 0
   channel 20mhz 11
   eirp 10
  radio 1
   channel 20mhz 153
   eirp 10
 ap-id 201 type-id 35 ap-mac 60de-4476-e360 ap-sn 210235419610CB002287
  ap-name ap-201
  ap-group ap-group2
  wired-port-profile wired3 ethernet 0
  wired-port-profile wired3 ethernet 1
  wired-port-profile wired4 gigabitethernet 0
  radio 0
   channel 20mhz 1
   eirp 10
 ap-id 202 type-id 35 ap-mac 60de-4476-e380 ap-sn 210235419610CB002984
  ap-name ap-202
  ap-group ap-group2
  wired-port-profile wired3 ethernet 0
  wired-port-profile wired3 ethernet 1
  wired-port-profile wired4 gigabitethernet 0
  radio 0
   channel 20mhz 6
   eirp 10
 ap-id 203 type-id 35 ap-mac dcd2-fc04-b540 ap-sn 210235419610CB002632
  ap-name ap-203
  ap-group ap-group2
  radio 0
   channel 20mhz 11
   eirp 10
  radio 1
   channel 20mhz 157
   eirp 10
#
return
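The following audit script is an added example, not part of the original configuration guide. It checks a saved AC configuration for three properties this example relies on: the service VLAN of a tunnel-forwarding VAP differs from the management VLAN, every VAP profile has an authentication profile bound, and trunk interfaces remove VLAN 1. It assumes the management VLAN is the VLANIF named in `capwap source interface` and that the file keeps one space of indentation per view level; the function names are hypothetical.

```python
import re

# Constructed sample: a trimmed excerpt of the AC configuration file above.
SAMPLE = """\
interface GigabitEthernet1/0/1
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 100 201
#
capwap source interface vlanif100
#
wlan
 vap-profile name wlan-vap1
  forward-mode tunnel
  service-vlan vlan-id 101
  authentication-profile portal1
"""

def blocks(text, header_re):
    """Yield (match, body) for each header line and the deeper-indented lines under it."""
    lines = text.splitlines()
    for i, line in enumerate(lines):
        m = re.match(header_re, line)
        if not m:
            continue
        depth = len(line) - len(line.lstrip())
        body = []
        for nxt in lines[i + 1:]:
            if len(nxt) - len(nxt.lstrip()) <= depth:
                break  # left this view: same or shallower indentation
            body.append(nxt.strip())
        yield m, body

def audit(text):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    mgmt = re.search(r"^capwap source interface vlanif(\d+)", text, re.M | re.I)
    mgmt_vlan = mgmt.group(1) if mgmt else None  # assumption: CAPWAP source VLAN = management VLAN
    for m, body in blocks(text, r"\s*vap-profile name (\S+)"):
        svc = next((b.split()[-1] for b in body if b.startswith("service-vlan vlan-id")), None)
        if "forward-mode tunnel" in body and svc and svc == mgmt_vlan:
            findings.append(f"{m.group(1)}: service VLAN equals management VLAN {mgmt_vlan} in tunnel mode")
        if not any(b.startswith("authentication-profile") for b in body):
            findings.append(f"{m.group(1)}: no authentication-profile bound")
    for m, body in blocks(text, r"interface (\S+)"):
        if "port link-type trunk" in body and "undo port trunk allow-pass vlan 1" not in body:
            findings.append(f"{m.group(1)}: trunk still passes VLAN 1")
    return findings
```

Call `audit()` on the text of a saved configuration file; each returned string names the profile or interface that needs attention.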